Thanks, Hugo! Explicitly setting a long Strict-Transport-Security max-age of 31536000 (1 year) worked.
I was misled by this "cipher strength" part of the SSL Server Rating Guide linked by Qualys, just for context:
Just setting a long Strict-Transport-Security max-age meant that I could remove other tweaks I had made in my hiawatha.conf; namely, these two lines can be removed without lowering the SSL report grade:
DHSize = 4096
MinTLSversion = 1.2
I made those tweaks following instructions found in various places across the internet for improving your SSL security settings. Apparently, these were rubbish!